Re: Trust intermediate CA for client certificates
From | Ian Pilcher |
---|---|
Subject | Re: Trust intermediate CA for client certificates |
Date | |
Msg-id | 529CE9F7.6090300@gmail.com |
In reply to | Re: Trust intermediate CA for client certificates (Andrew Dunstan <andrew@dunslane.net>) |
Responses | Re: Trust intermediate CA for client certificates |
List | pgsql-hackers |
On 12/02/2013 02:01 PM, Andrew Dunstan wrote:
> AIUI, you need a complete chain from one end to the other. So the cert
> being checked can include the intermediate cert in what it sends, or it
> can be in the root.crt at the other end, but one way or another, the
> checking end needs a complete chain from a root cert to the cert from
> the other end.

Yes. And the problem is that there is no way to prevent OpenSSL from
accepting intermediate certificates supplied by the client. As a result,
the server cannot accept client certificates signed by one intermediate
CA without also accepting *any* client certificate that can present a
chain back to the root CA.

Frankly, this whole conversation reinforces my belief that this behavior
is so counter-intuitive that it really should be changed.

GnuTLS for the win?

--
========================================================================
Ian Pilcher arequipeno@gmail.com
Sent from the cloud -- where it's already tomorrow
========================================================================
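The situation described in this message, as an added example that is not code from the thread or from PostgreSQL: a Go program using only the standard library's crypto/x509 builds a small PKI constructed for the example (one root, two intermediates A and B, one client certificate under each) and then runs three server configurations against it. Scenario 1 is the problem in the thread: with the root in root.crt, a client that presents intermediate B verifies just as well as one under A. Scenario 2 anchors trust at intermediate A itself, and scenario 3 keeps the root as anchor but pins the leaf's issuer after the chain has been built. The entity names, the function names (NewEntity, AcceptClientCert, RunScenarios) and the scenario labels are all made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate together with the private key that signs for it.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err) // key generation or DER encoding failing is fatal for the demo
	}
}

// NewEntity issues a certificate for cn, signed by parent (self-signed when
// parent is nil). CAs get keyCertSign, leaves get the clientAuth EKU.
func NewEntity(cn string, isCA bool, parent *Entity) *Entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Entity{Cert: cert, Key: key}
}

// AcceptClientCert does what a server does with a client certificate: build a
// chain from the leaf, through the intermediates the client presented, to one
// of the anchors in root.crt. With pinnedIssuer set, the leaf must also have
// been signed directly by that CA certificate (compared byte for byte).
func AcceptClientCert(leaf *Entity, presented, anchors []*Entity, pinnedIssuer *Entity) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, e := range anchors {
		roots.AddCert(e.Cert)
	}
	for _, e := range presented {
		inters.AddCert(e.Cert)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	chains, err := leaf.Cert.Verify(opts)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if pinnedIssuer == nil || len(chain) > 1 && chain[1].Equal(pinnedIssuer.Cert) {
			return nil
		}
	}
	return fmt.Errorf("chain verifies, but %q was not issued by the pinned CA", leaf.Cert.Subject.CommonName)
}

// RunScenarios builds root -> {A, B} -> {clientA, clientB} (a PKI constructed
// for this example) and reports, per server configuration, nil for an accepted
// client or the verification error for a rejected one.
func RunScenarios() map[string]error {
	root := NewEntity("Example Root CA", true, nil)
	interA := NewEntity("Intermediate A", true, root)
	interB := NewEntity("Intermediate B", true, root)
	clientA := NewEntity("client-under-A", false, interA)
	clientB := NewEntity("client-under-B", false, interB)
	es := func(e ...*Entity) []*Entity { return e }
	return map[string]error{
		// 1. root.crt holds the root; each client presents its own intermediate. Both pass.
		"root anchor, client A": AcceptClientCert(clientA, es(interA), es(root), nil),
		"root anchor, client B": AcceptClientCert(clientB, es(interB), es(root), nil),
		// 2. root.crt holds only Intermediate A. Client B fails even when it presents the root too.
		"intermediate anchor, client A": AcceptClientCert(clientA, es(interA), es(interA), nil),
		"intermediate anchor, client B": AcceptClientCert(clientB, es(interB, root), es(interA), nil),
		// 3. Root anchor plus an issuer pin applied after chain building.
		"pinned issuer, client A": AcceptClientCert(clientA, es(interA), es(root), interA),
		"pinned issuer, client B": AcceptClientCert(clientB, es(interB), es(root), interA),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-32s accepted=%v %v\n", name, err == nil, err)
	}
}
```

Go's verifier treats any certificate in the Roots pool as a trust anchor, so scenario 2 works there without extra flags. OpenSSL's default verifier, by contrast, insists on reaching a self-signed root, which is why putting only the intermediate into root.crt was not an option in this thread (OpenSSL 1.0.2 later added X509_V_FLAG_PARTIAL_CHAIN for that case). Scenario 3 is the mitigation that works regardless of library: after the library has built a chain, the application checks which CA actually issued the leaf, and it compares the issuer certificate itself rather than its name, since any CA under the same root could issue an intermediate with a matching subject.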